and compared to a detection threshold to decide whether is watermarked or not. If the detection function is deterministic, the set (1)

Transcription

1 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 3, SEPTEMBER On Reliability and Security of Randomized Detectors Against Sensitivity Analysis Attacks Maha El Choubassi, Member, IEEE, and Pierre Moulin, Fellow, IEEE Abstract Despite their popularity, spread spectrum schemes are vulnerable against sensitivity analysis attacks on standard deterministic watermark detectors. A possible defense is to use a randomized watermark detector. While randomization sacrifices some detection performance, it might be expected to improve detector security to some extent. This paper presents a framework to design randomized detectors with exponentially large randomization space and controllable loss in detection reliability. We also devise a general procedure to attack such detectors by reducing them into equivalent deterministic detectors. We conclude that, contrary to prior belief, randomization of the detector is not the ultimate answer for providing security against sensitivity analysis attacks in spread spectrum systems. Instead, the randomized detector inherits the weaknesses of the equivalent deterministic detector. Index Terms Chernoff bounds, detection security, error exponents, generalized Gaussian distribution (GGD), maximum likelihood (ML), randomization, security, sensitivity attacks, spread spectrum, watermarking. I. INTRODUCTION I NFORMATION hiding and watermarking have gained a lot of interest in the research community since Briefly, information hiding is about the imperceptible embedding of information inside a host such as multimedia data or software script. It has a wide spectrum of applications including copyright protection of digital media, fingerprinting, media forensics, and steganography. In this paper, we focus on the copyright protection application. We also consider a popular watermark embedding scheme: the additive spread spectrum technique. In this setup, all signals are elements of. The original host signal is either left unchanged (unwatermarked), or a watermark signal is additively embedded into, resulting in the watermarked signal. The watermark is shared between the embedder and the detector as illustrated in Fig. 1. Once a signal is input to the detector, a real-valued detection function is evaluated Manuscript received December 12, 2007; revised March 19, First published May 05, 2009; current version published August 14, This work was supported by the National Science Foundation (NSF) under Grant CCR This work was presented in part at the SPIE Conference on Security, Steganography, and Watermarking of Multimedia Contents, San Jose, CA, January 2006, and in part at the IEEE International Conference on Image Processing, San Antonio, TX, September The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Reginald Lagendijk. M. El Choubassi is with the Intel Microprocessor Research Laboratory, Santa Clara, CA USA ( maha.el.choubassi@intel.com). P. Moulin is with the University of Illinois at Urbana-Champaign, Urbana, IL USA ( moulin@ifp.uiuc.edu). Color versions of one or more of the figures in this paper are available online at Digital Object Identifier /TIFS Fig. 1. Watermark embedder and the watermark detector. and compared to a detection threshold to decide whether is watermarked or not. If the detection function is deterministic, the set is called the detection boundary for the detector. When watermarking a signal, several requirements must be satisfied [9], [12]. The security of the watermarking scheme is one of the fundamental requirements. This paper investigates security against sensitivity analysis attacks, which aim at removing the watermark. Having access to a watermark detector and a watermarked signal, the attacker s goal is to construct a pirated copy, which is perceptually similar to the original watermarked signal and does not trigger a positive response from the detector. The results of [1] [9] show that spread spectrum techniques are critically vulnerable to sensitivity analysis attacks. In [6] and [7], we provided a general mathematical framework to study such attacks. More specifically, the attacker systematically changes into auxiliary signals and inputs them to the detector. Through the leaked information about the watermark, the attacker obtains an estimate of. He subsequently removes it from to produce the pirated copy. It turns out that for a wide class of detectors, all deterministic, the number of detection operations needed by the attacker to estimate the watermark is generally linear in the size of the signal [6], [7]. Another crucial requirement of the watermarking scheme is the reliability of the watermark detector. Watermark detection is a binary hypothesis testing problem [13]. Assuming a probabilistic model on the host signal, the performance of the detector can be evaluated in terms of error probability. One possibility is to choose the maximum likelihood (ML) detector as the watermark detector in order to minimize the probability of error. However, the watermark detector is the source of leakage of information about the watermark. Therefore, the ML detector may not be the best choice in terms of providing security against sensitivity analysis attacks. Based on this observation, randomization of the detector appears to be the natural remedy for security of spread spectrum schemes. This suggests a tradeoff between the reliability and the security of the detector. In [2], Linnartz and van Dijk suggest the use of a correlation detector but with a randomized threshold. Yet, the workload of (1) /$ IEEE

2 274 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 3, SEPTEMBER 2009 the attacker to recover the watermark remains linear as acknowledged by the authors. Venkatesan and Jakubowski [8] also used randomized detection to increase security. First, the detector chooses many pseudorandom subsets over the support of the watermarked data. Next, the detection statistic is computed as the median of the correlations over each subset. This countermeasure is clearly more sophisticated than that of [2]. Still, it is not certain that the spread spectrum scheme using such a detector will be truly secure [8]. In fact, we show the contrary in this paper. Noting the tradeoff between security and detection performance, we propose in this paper a methodology to design randomized but still reliable detectors. To make the presentation concrete, we assume a generalized Gaussian distribution (GGD) on the host signal. We then build a framework to control the loss in the detection performance using classical detection-theoretic tools: large deviation analysis and Chernoff bounds [13]. However, while these techniques provide a precise characterization of detector performance, they do not quantify the vulnerability of a watermarking scheme against sensitivity analysis attacks. In the second part of this paper, we construct attack algorithms against randomized detectors. By generating auxiliary signals on the average detection boundary, we reduce the randomized detection scheme into an equivalent deterministic one. Subsequently, the attack algorithms built in [6] and [7] against deterministic watermark detectors are applied to the equivalent detector in order to estimate and then remove the watermark. The overall attacks are still powerful, and for the GGD/spread-spectrum watermarking model considered in this paper, we show that the attacker retains the upper hand. The organization of this paper is as follows. Below we briefly explain the notation used in the paper. In Section II, we present a general framework to design reliable randomized detectors. Next, we describe a general attack algorithm against randomized detectors in Section III. In Sections IV and V, we apply our general attack algorithm to three families of randomized detectors. To verify the validity of our analysis, we present experimental results in Section VI. Finally, we conclude in Section VIII. Definitions and Notation: We consider several families of randomized detectors. The randomness is due to one or several random parameters denoted as and drawn by the detector from a probability distribution, possibly dependent on. The watermark is fixed but unknown to the attacker. The randomized detection statistic for detector input is,to be compared against the threshold. The response of the detector is binary; the detector s response is binary if else For a collection of random variables, we use the shorthand to indicate that the probability is computed with respect to. Similarly, denotes expectation with respect to. II. DESIGNING RELIABLE RANDOMIZED DETECTORS The results in [1] [9] stress the need for more secure detection methods. This suggests introducing substantial randomness into the detector. However, this is achieved at the expense of detection performance, a fact that was not emphasized before [2], [8]. Therefore, we aim at designing a very large class of randomized detectors with controllable detection reliability. A. Randomization Scheme The detection problem is a test with two hypotheses, and. The watermark is fixed and its samples are taken from an alphabet with cardinality. The empirical distribution (first-order histogram) of these samples over is. The signal input to the detector is. is the hypothesis that is not embedded in while indicates that is embedded is the host signal. The samples, are assumed to be independent and identically distributed (iid), with probability density function (pdf). The optimal detector for the problem (2) is the log likelihood ratio test [13] is the threshold of the test, which controls the tradeoff between probabilities of false positives and false negatives. To randomize the detector, we choose pdfs,, mismatched (in a controllable way) to the pdf. To each corresponds a log likelihood ratio for the detector. The mismatch is measured by the information divergence (or Kulback Leibler divergence) between and, defined as This measure is equal to zero for a perfect match. We assume that the pdfs and have common support. The signal domain is partitioned into subsets (please refer to Fig. 2). The partition is generated as follows. Let be iid random variables with alphabet and probability mass function For each signal component, indicates to which subset,, this component belongs. Hence the probability that a component is in subset is, and is equal to one. The randomization parameter is, and the randomized detection function is given by The number of all possible partitions is essentially equal to, denotes the entropy of the probability distribution. Therefore, the number (2) (3) (4) (5) (6)

3 EL CHOUBASSI AND MOULIN: ON RELIABILITY AND SECURITY OF RANDOMIZED DETECTORS 275 is the normalized threshold, and (10) Fig. 2. Example partition of the signal domain. of all possible partitions is exponential in. Hence, we generate an exponentially large class of randomized test statistics, and the security enhancement comes from the randomness of the sets. For comparison, Linnartz and van Dijk [2] increase the security of the watermarking scheme by randomizing the detection threshold which belongs to an uncertainty interval. Hence, the randomization parameter used is resulting in the test statistic. Obviously, the size of the parameter space in our scheme is much larger. In Venkatesan and Jakubowski s paper [8], the detection statistic is the median of the correlation statistic calculated over several randomly selected subsets of the signal. In our scheme, the test statistic in (6) is a mixture of several good statistics computed over the randomized subsets. B. Detection Reliability and Error Exponents Our test statistic in (6) is amenable to a precise performance analysis. While it is generally infeasible to compute the probability of error analytically, we use large deviation techniques and Chernoff bounds [13] to derive bounds of the form and is the large deviation function is the maximum of this function realized at By the Gäartner Ellis theorem [18], the inequality (7) is tight on the exponential scale The analysis is made for a given watermark known to the detector. The probability of false positive is defined as We obtain the large deviations upper bound on as (7) (8) (9) is the false-alarm exponent. The derivation is given in the Appendix. Similarly, the probability of false negative is defined as and satisfies the large deviations bound (11) (12) (13) is the miss exponent. Assuming the two hypotheses and are equiprobable, the average error probability is equal to Combining (9), (12), and (14), we obtain (14) Since the test statistic is not the log likelihood ratio corresponding to the actual probability distribution on,we have a mismatched detector. In particular, the false-alarm and miss exponents of (10) and (13) may not be positive, i.e., and may not decay to zero exponentially with increasing. In his paper, Kazakos derives the performance of such detectors and provides a necessary and sufficient condition for exponential convergence [14]. However, this condition is given for the case when the observations are iid under both hypotheses and, and the mismatched detector also assumes iid observations under and. In our scenario, the host samples, are iid. Hence, under, the observations are iid. However, under, the observations are independent but not identically distributed. The mismatched detector assumes that the host samples are independent with the samples in subset following distributions for all. In [10], we derived a necessary and sufficient condition for exponential decay of the probability of error with assuming independent observations but not necessarily identically distributed. From (14), it is clear that decays exponentially to zero if both and decay exponentially to zero. This property is guaranteed if and only if there exist a pair satisfying and

4 276 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 3, SEPTEMBER 2009 Analyzing the first-order and second-order derivatives of and with respect to, a necessary and sufficient condition for exponential decay of is obtained in an analysis similar to that in [10] as the DCT image coefficients are assumed to be iid Laplacian with variance 100 and mean 0. This corresponds to a host to watermark ratio of 20 db. The variance of each GGD is also 100 if we set (15) is the shifted probability distribution. If (15) is satisfied, there is an optimal value for the threshold that results in the tightest bound on the average probability of error. In order for this bound to be optimal, the two exponents, and, have to be equal, otherwise the worse one, i.e., the smaller one, will dominate the other. From (10) and (13), the equalizing value for is 0. Next, we obtain the optimal bound by maximizing the exponent over Referring to (3), we use and generate three detection functions corresponding to the following three values of and. The large deviation function of detector, is defined as with exponent (16) C. Application to Images We used the scheme of Section II-A to design reliable randomized detectors for image spread spectrum watermarking. It is common to model the discrete cosine transform (DCT) coefficients of an image as iid random variables distributed according to a GGD [15]. Therefore, in order to get good statistics, we choose GGD distributions (17) is the scale parameter and is the exponent of the GGD. For each component, indicates to which subset this component belongs. The randomized detection function is given by (18) Substituting (17) into (16), we obtain the tightest upper bound on as For illustration, assume the watermark is binary, i.e.,, with symmetric empirical distribution, and is embedded in the DCT image coefficients. Let, i.e., The functions are shown in Fig. 3. The matched log likelihood ratio test corresponding to results in the largest exponent, i.e., the minimum probability of error. This is expected because this is the matched detector, i.e., the optimal one. Conversely, the detection test corresponding to results in the smallest, i.e., the most mismatched, exponent. For, the error exponent is. For our randomized test, we chose a uniform distribution. The error exponent for our randomized test is, between the previously stated best and worst exponents. In summary, considering the vulnerability of spread spectrum techniques, we can randomize the detector in the hope of improving security. However, this improvement causes some reduction in detection reliability. By carefully selecting the randomized test statistic as a mixture of good statistics, we can simultaneously design an exponentially large randomization space with guaranteed reliable detection. In addition to the necessary and sufficient condition for exponential decay of the average probability of error, we have derived upper and lower bounds on the exponent of decay. III. GENERALIZED ATTACK AGAINST RANDOMIZED DETECTORS In this section, we design an attack that essentially reduces a randomized detector into an equivalent deterministic one. The attack consists of three steps. The first one converts the randomized detector into an equivalent deterministic one. The second step applies a sensitivity analysis attack against this equivalent deterministic detector. The third step removes the estimated watermark from the watermarked signal, yielding a pirated copy. A. Preliminaries We consider a randomized detector with detection statistic. The analysis is made for given watermark and signal. In (1), we defined the detection boundary for a deterministic detector. Here we define the -boundary as the topological boundary of the set of signals such that (19)

5 EL CHOUBASSI AND MOULIN: ON RELIABILITY AND SECURITY OF RANDOMIZED DETECTORS 277 Fig. 3. Illustration of our randomized detector, a mixture of three test statistics. Fig. 4. (a) Deterministic boundary. (b) p-boundary for the two-dimensional case. For most of the detectors of interest and for at least one value of, it turns out that the -boundary is the set of signals that satisfy the following equality: (20) The subtle difference between the two definitions of is illustared in Section IV. Since the attacker has control over the choice of, we assume that he selects such a value for and from now on we will use the definition (20) of in the paper. 1 Therefore, when a signal on the -boundary is input to the detector times, the expected number of positive responses is equal to. For a graphical illustration, please look at Fig. 4. In the subsequent sections, we consider three families of randomized detectors: randomized threshold detectors [2], randomized GGD detectors [10], and subset selection detectors. We will 1 Except for the last part of Section IV, we explicitly indicate the use of definition (19) for B. show that the -boundary for each family is the same as the boundary for an equivalent deterministic detector. Specifically, the signals that belong to, also satisfy the detection boundary equation (1) for some deterministic detector with the same watermark. Hence, finding points on the -boundary of the randomized detector is the same as finding points on the equivalent deterministic detection boundary. But doing so is the key for successful sensitivity analysis attacks against deterministic detectors. In fact, we derived in [6] and [7] attack algorithms against two families of detectors that satisfy specific assumptions. In the first family, the detection statistic is a function of the correlation of the input signal and the watermark. The detection function is invertible in terms of the watermark [6], [7, Sec. IV]. In the second family, the detection function is twice differentiable and has an invertible gradient with respect to the watermark [6], [7, Sec. V]. Hence the attacker can generate points on the -boundary and leverage the algorithms of [6] and [7] to attack the equivalent deterministic detector if it obeys the above

6 278 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 3, SEPTEMBER 2009 mentioned assumptions. This detector uses the same watermark as the randomized detector. This attack produces an estimate of the watermark. Finally, the attacker subtracts from the watermarked signal, resulting in the pirated copy. A successful attack against the equivalent deterministic detector is automatically successful against the randomized detector. The next section provides more details on how to generate signals that satisfy (20) with a controllable and arbitrarily high degree of accuracy. The attacker can then obtain arbitrarily close to the original watermark. The accuracy of the estimate is measured by the normalized correlation coefficient (21) and the mean squared distortion (22) Fig. 5. Randomized threshold detector: 2 is a uniformly distributed random variable over [a; b]. The closer is to one and to zero, the better the estimate is. B. Generating Points on the -Boundary For a given randomized detector with watermark, a signal, a direction, and a probability, the task of finding a scalar such that the signal belongs to relies on the following subproblem. For a real number, the attacker constructs the test signal and desires to evaluate the probability The attacker, who does not know but has access to the detector, would need an infinite number of detection probes of to obtain the exact value of. Since this is not possible, he sets a finite number of detection probes to be used. He inputs the signal to the detector times and records the binary detector responses. Then, he estimates as IV. RANDOMIZED THRESHOLD DETECTOR To begin with a simple example, consider a deterministic detection test, e.g., the correlation detection test, with randomized threshold. As in [2], the detection threshold is a real-valued random variable with pdf. Equivalently, the detector may be viewed as a randomized detector with zero threshold Owing to (20) and (23), is the set of signals such that (23) (24) For example, when is a uniform random variable over an interval, the -boundary is given by In this case, is the detection boundary of the equivalent deterministic detector are iid Bernoulli random variables with probability. By the law of large numbers, converges to both almost surely and in the mean square sense. The variance of the estimation error,, tends to zero as. Next, define the binary function if else. The attacker can use any search algorithm, in particular the binary search algorithm, and use the function in the search queries to obtain an estimate of and hence obtain a signal,, that is approximately on the -boundary. Each step of the binary search algorithm involves the subproblem of estimating needed to evaluate. On one side, by increasing, the precision error of each step of the algorithm decreases as. On the other side, the accuracy of the binary search algorithm increases with the number of steps at an exponential rate. with threshold. Therefore, any of the attack algorithms developed against deterministic detectors can be applied to estimate the watermark. For example, if the detector is a correlation detector, the attack in Section IV B in [7] can be used. Please refer to Fig. 5 for an illustration of this attack. Another example is when the randomized detection threshold is Bernoulli distributed over with equal probability. First, we compute Using definition (20) of would result in volume or empty sets. Therefore, for this example, we must resort to the original definition of the -boundary in (19). We obtain the region

7 EL CHOUBASSI AND MOULIN: ON RELIABILITY AND SECURITY OF RANDOMIZED DETECTORS 279 Checking the conditions of Lindeberg s generalized central limit theorem (CLT) [17], we conclude that the normalized random variable (26) Fig. 6. Randomized threshold detector: 2 is a Bernoulli random variable 2 fa; bg with probablity (1)=(2). converges in distribution to a Gaussian random variable with mean 0 and variance 1, as. Therefore, the -boundary in (25) is characterized by Therefore, for any and we obtain in (19) as for for is the topological boundary of for for as is the Gaussian tail function ( -function). Therefore, we approximate the -boundary for the randomized detector by Please see Fig. 6 for illustration. Consequently, when finding points on the -boundary for, the attacker reduces the randomized detector into an equivalent deterministic detector with detection statistic and threshold. Similarly, for, the equivalent deterministic detection statistic is with threshold. From these two examples, we see the difference between definitions (19) and (20) of the -boundary. While definition (20) works for most detectors, like the detector with uniformly distributed threshold, we still need to use definition (19) in some cases. V. RANDOMIZED GGD DETECTORS MIXTURE In Section IV, a single parameter was randomized. In Section II, we studied a class of detectors with extremely large randomization space. Each time the detector is probed, the support of the signal is partitioned into random subsets (Fig. 2). From (18) and (20), the -boundary is the set of signals that satisfy (25) To compute this probability, we derive the distribution of the sum of random variables. First, due to the independence of in (18) are also independent (but not identically distributed due to the dependency on and ). The expected value and the variance of conditioned on and are, respectively, given by (27) This can be viewed as the boundary for an equivalent deterministic detector with test statistic (28) and same threshold as the randomized detector. The detection function (28) is highly nonlinear in. However, with the choice of is zero and (28) simplifies into (29) which is the expected value of the individual GGD detection functions. In order to attack the equivalent deterministic detector in (29), we use the methods from [6] and [7]. In particular, [7] describes an efficient attack against GGD detectors of the form (30) The attacker could approximate the detector of (29) with such a GGD detector by selecting and

8 280 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 3, SEPTEMBER 2009 Fig. 7. Histograms for the normalized correlation between w and ^w. The bars with circles correspond to the attacks with N =5probes, while those with crosses correspond to attacks with N =100probes., and then launching the attack described in [7, Sec. V-C]. While (30) is a coarse approximation to (29) (except of course in the degenerate case ), we shall see that this attack performs quite well. Hence an optimized attack designed along the guidelines of [7] should perform even better. VI. EXPERIMENTAL RESULTS We consider a randomized GGD detector (see Section V) with and GGD exponents and. For an image of size 64 64, we generated 31 pseudorandom binary watermarks with equal energy,, resulting in 31 watermarked signals. Against each such signal, we ran our sensitivity analysis attack algorithm with, four times with, and four other times with. Therefore, we have in total 124 attacks with, and another 124 attacks with. To measure the degree of success of these attacks, we compute the normalized correlation from (21), and the mean squared distortion from (22) (please see Figs. 7 and 8). As shown in Fig. 7, attacks with result in larger correlation than those with. In fact, for 48% of the attacks with, the correlation is larger than 70%, i.e.,. However, for only 2% of the attacks with, wehave. Similarly, Fig. 8 depicts smaller distortion for attacks with than those with. More accurately, we have for 48% of the attacks with, while that is true for only 0.81% for the attacks with. These experiments validate the efficiency of our new attack algorithms. By increasing the number of probes, the accuracy of our estimate increases as we expected. By tuning, the attacker can generate the auxiliary points closer to the 0.5-boundary, hence increasing the degree of success of the attack. VII. SUBSET SELECTION DETECTOR In this section, we show how to break the randomized detector of Venkatesan et al. [8]. The scheme is based on selecting a detection function 2 (31) computed over a subset. Next, the detector randomly selects many possibly overlapping subsets in the support set of the signal and evaluates the detection statistic over each such subset according to (31) (please see Fig. 9). The actual detection coefficient is the median of these statistics. The authors argue that such a detector is secure against attacks that learn the watermark by introducing large changes to the value of the signal at one component. We show that the scheme is still breakable using sensitivity attacks. In particular, using the concept of -boundary, we derive the equivalent deterministic detector, which can be attacked by the algorithms of [6] and [7]. Let be the number of subsets selected and be the mask corresponding to subset. That is, indicates that the th component of the signal belongs 2 The authors in [8] use a correlation detector, i.e., t (y ;w ) = y w,but we consider a more general setting.

9 EL CHOUBASSI AND MOULIN: ON RELIABILITY AND SECURITY OF RANDOMIZED DETECTORS 281 Fig. 8. Histograms of the mean square distortion between w and ^w. The -boundary for this detector is characterized by (32) Fig. 9. Partition of the image support into two sets (K =2). (a) Disjoint sets. (b) Overlapping sets. to. In our model, is a sequence of iid Bernoulli random variables with probability with probability with probability Furthermore, the masks are mutually independent. The th detection statistic is defined as (33) In this setting, the randomization parameters are and the resulting randomized function is given by We now derive an expression for the probability. Let. The random variables are conditionally independent but not identically distributed, given and. Their mean and variance are, respectively, given by Define the iid binary random variables if else Again, we use the generalized CLT and check Lindeberg s conditions [17]. As tends to, the random variable defined in (26) converges in distribution to a normal random variable

10 282 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 3, SEPTEMBER 2009, resulting in detectors. It has been believed that such detectors can significantly improve the security of the watermarking scheme. However, this is not the case, even if the randomized parameter space is huge and if the detector is reliable. Using the new concept of -boundary, we can transform randomized detectors into equivalent deterministic ones. In this case, the attacks in our previous work [6], [7] are applicable. Hence, the remarkable conclusion is that randomized detectors are almost as vulnerable to sensitivity analysis attacks as deterministic detectors. as APPENDIX The large deviations upper bound (9), (10) on the false-alarm probability (8) is derived here. Substituting (6) into (8), we obtain Therefore, after choosing, the attacker calculates the corresponding value of. Now he aims at constructing signals on the approximate -boundary defined as (35) Recall from (3) that. By our assumption below (4), we obtain. Markov s inequality applied to (35) yields (34) If the attacker selects, then, and is the detection boundary of the equivalent deterministic detector (36) Since under and the variables and are iid, (36) becomes Consequently, the equivalent deterministic detector is the simple correlation detector but with its value scaled down by a constant factor. The powerful attack algorithm derived in [6] and [7] against such detectors can be used against the equivalent deterministic detector, hence breaking this randomized detector. Finally, it is the -boundary that summarizes the interaction between randomization and security: the complexity and the amount of randomization introduced into the detector are indeed reflected in the -boundary. For the randomized threshold detector, little randomization is introduced, and hence its -boundary itself is as simple as the original deterministic boundary (see Section IV). However, that is not the case for the highly randomized GGD detectors mixture or the subset selection detector. From (27) and (34), we see that the approximate -boundary is quite involved and is only simplified by careful choices of and. Let us analyze the expectation term above: (37) (38) As described at the beginning of Section II A, the number of samples marked with is equal to, for all. This property together with (38) yields VIII. CONCLUSION Our previous work [6], [7] developed sensitivity analysis attacks against deterministic detectors of additive spread spectrum watermarks. We proved the weakness of these schemes by constructing powerful attacks against them. This paper has studied the security of spread spectrum schemes against randomized (39)

11 EL CHOUBASSI AND MOULIN: ON RELIABILITY AND SECURITY OF RANDOMIZED DETECTORS 283 Substituting (39) into (37), the large deviation bound on the probability of false alarm is given by. Finally, using (3), we obtain (9) and (10). REFERENCES [1] I. J. Cox and J. P. M. G. Linnartz, Public watermarks and resistance to tampering, in Proc. Int. Conf. Image Processing (ICIP), Santa Barbara, CA, 1997, [CD-ROM]. [2] J. P. Linnartz and M. van Dijk, Analysis of the sensitivity attack against electronic watermarks in images, in Proc. Workshop of Information Hiding, Portland, OR, Apr. 1998, pp [3] T. Kalker, J. P. Linnartz, and M. van Dijk, Watermark estimation through detector analysis, in Proc. Int. Conf. Image Processing (ICIP), Chicago, IL, Oct. 1998, vol. 1, pp [4] A. Tewfik and M. Mansour, LMS-based attack on watermark public detectors, in Proc. IEEE Int. Conf. Image Processing (ICIP), Rochester, NY, Sep. 2002, pp [5] P. Comesãna, L. Pérez-Freire, and F. Pérez-Gonzaléz, The return of the sensitivity attack, in Proc. IWDW, Siena, Italy, 2005, pp [6] M. El Choubassi and P. Moulin, A new sensitivity analysis attack, in Proc. SPIE Conf., San Jose, CA, Jan. 2005, pp [7] M. El Choubassi and P. Moulin, Noniterative algorithms for sensitivity analysis attacks, IEEE Trans. Inf. Forensics Security, vol. 2, no. 2, pp , Jun [8] R. Venkatesan and M. H. Jakubowski, Randomized detection for spread-spectrum watermarking: Defending against sensitivity and other attacks, in Proc. ICASSP, Philadelphia, PA, [9] I. J. Cox, M. L. Miller, and J. A. Bloom, Digital Watermarking. San Francisco: Morgan Kaufmann, [10] M. El Choubassi and P. Moulin, On the fundamental tradeoff between watermark detection performance and robustness against sensitivity analysis attacks, Proc. SPIE, pp , [11] M. El Choubassi and P. Moulin, Sensitivity analysis attacks against randomized detectors, in Proc. Int. Conf. Image Processing (ICIP), San Antonio, TX, [12] P. Moulin and R. Koetter, Data-hiding codes (tutorial), Proc. IEEE, vol. 93, no. 12, pp , Dec [13] H. V. Poor, An Introduction to Signal Detection and Estimation. New York: Springer-Verlag, [14] D. Kazakos, Signal detection under mismatch, IEEE Trans. Inf. Theory, vol. IT-28, no. 4, pp , Jul [15] F. Müller, Distribution shape of two-dimensional DCT coefficients of natural images, Electron. Lett., vol. 29, no. 22, pp , Oct [16] J. R. Hernández, M. Amado, and F. Pérez-González, DCT-domain watermarking techniques for still images: Detector performance analysis and a new structure, IEEE Trans. Signal Process., vol. 9, no. 1, pp , Jan [17] W. Feller, An Introduction to Probability Theory and Its Applications. New York: Wiley, [18] A. Dembo and O. Zeitouni, Large Deviations Techniques and Applications. New York: Springer, Maha El Choubassi (S 99 M 08) received the B.Eng. degree from the American University of Beirut, Lebanon, in 2003, and the M.Sc. and Ph.D. degrees from the Electrical and Computer Engineering Department (ECE), University of Illinois at Urbana Champaign (UIUC), in 2005 and 2008, respectively. She is also the recipient of the James M. Henderson Fellowship for the year from the ECE Department at UIUC. Upon graduating from UIUC, she joined Intel as a Research Scientist at the Microprocessor Research Laboratory, Santa Clara, CA. Pierre Moulin (S 89 M 90 SM 98 F 03) received the doctoral degree from Washington University, St. Louis, in After receiving the docotral degree, he joined Bell Communications Research, Morristown, NJ, as a Research Scientist. In 1996, he joined the University of Illinois at Urbana-Champaign, he is currently Professor in the Department of Electrical and Computer Engineering, Research Professor at the Beckman Institute and the Coordinated Science Laboratory, affiliate professor in the Department of Statistics, and Sony Faculty Scholar. His fields of professional interest include image and video processing, compression, statistical signal processing and modeling, media security, decision theory, and information theory. He has served on the editorial boards of the IEEE TRANSACTIONS ON INFORMATION THEORY and the IEEE TRANSACTIONS ON IMAGE PROCESSING. He currently serves on the editorial boards of the PROCEEDINGS OF THE IEEE and of Foundations and Trends in Signal Processing. He was cofounding Editor-in-Chief of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY ( ), member of the IEEE Signal Processing Society Board of Governors ( ), and has served IEEE in various other capacities. Dr. Moulin received a 1997 Career award from the National Science Foundation and an IEEE Signal Processing Society 1997 Senior Best Paper award. He is also co-author (with Juan Liu) of a paper that received an IEEE Signal Processing Society 2002 Young Author Best Paper award. He was 2003 Beckman Associate of UIUC s Center for Advanced Study and plenary speaker for ICASSP 2006 and several other conferences.